How to tell mod_auth_kerb to do its job despite no "require valid-user"

Question

I implemented a SSO authentication using mod_auth_kerb on Apache. My config looks like this:

<Location /login/ >
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbAuthoritative on
    KrbVerifyKDC on
    KrbAuthRealm D.ETHZ.CH
    Krb5Keytab /etc/HTTP.keytab
    KrbSaveCredentials on
    RequestHeader set KERBEROS_USER %{REMOTE_USER}s
</Location>

My problem is that, without require valid-user, mod_auth_kerb doesn't even try to authenticate the user and KERBEROS_USER ends up being (null). If I add require valid-user, the user is authenticated automatically if the browser supports it, but gets shown an ugly modal login form (ala HTTP Basic Auth) if the browser doesn't support Kerberos Negotiate.

What I want to achieve is that if a user visits /login/, mod_auth_kerb tries to authenticate the user through Kerberos Negotiate. If that fails, a normal HTML login form will be presented to the user.

Is it possible to configure Apache/mod_auth_kerb in such a way?

Answer 1

I've done this once when I built a simple single-signon tool (to merge Kerberos with mod_auth_tkt). It required a little bit of chicanery:

• /webauth/login was protected by a require valid-user directive. If someone connected with valid Kerberos credentials, we got their username from REMOTE_USER, gave them an authentication cookie, and sent them on their way.

• The Apache configuration used an ErrorDocument request to redirect unauthenticated users to /webauth/require_authentication:

  ErrorDocument 401 /webauth/require_authentication

  This would perform the following actions:

  • Return a 401 result code (normally, ErrorDocuments eat your result code), and
  • Present a login form.

• The login form would do exactly what you expect: present a username/password form, validate same, and then give them the auth cookie.